enforceFIPSPolicy flag in web.config doesn't seem to be working for web application

I'm trying to set up a web application to work in an environment where the FIPSAlgorithmPolicy is set to 1 in the Windows registry (specifically, HKLM/SYSTEM/CurrentControlSet/Control/Lsa). When this flag is enabled, any call to the class MD5CryptoServiceProvider will cause an Invalid Operation Exception to be thrown with the following stack trace:

[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
   System.Security.Cryptography.RijndaelManaged..ctor() +10480142
   System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +439
   System.Web.Configuration.MachineKeySection.EnsureConfig() +152
   System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +48
   System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +381
   System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +59
   System.Web.UI.HiddenFieldPageStatePersister.Save() +89
   System.Web.UI.Page.SaveAllState() +1117
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3864

Based on what I read in this article, you're supposed to be able to add the following to your config file to disable the algorithm check:

<configuration>
    <runtime>
        <enforceFIPSPolicy enabled="false"/>
    </runtime>
</configuration>

This works for me in a test Console application by modifying its app.config. However, it doesn't seem to work when I modify a .NET 2.0 web application's web.config.

What's interesting to me is that even though I'm catching all exceptions when I go to instantiate an MD5CryptoServiceProvider in code, it doesn't seem to even make it to that portion of my code. This is the code that's called in my test app:

    protected string printSomething()
    {
        string toPrint = String.Empty;
        try
        {
            MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
            toPrint = "Created algorithm.";
        }
        catch (Exception e)
        {
            toPrint = e.ToString();
        }
        return toPrint;
    }

And this is what I see when I visit the page:

screenshot of YSOD

So this brings up a couple of questions:

  • Why is IIS throwing a YSOD instead of allowing my app to catch the exception?
  • What do I need to do so that my web app is able to use <enforceFIPSPolicy enabled="false"/>?
Middlesworth answered 11/7, 2011 at 15:48 Comment(1)
This works to disable fips check for a specific application pool.Gastrovascular
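An added diagnostic, not part of the original question, that shows the two halves of the problem side by side: what the registry says, what the CLR in the current process actually decided (CryptoConfig.AllowOnlyFipsAlgorithms, available since .NET 2.0 SP1), and which of the classes named in this thread can be constructed. Run it in Windows PowerShell, which hosts the .NET Framework. It reports powershell.exe's own policy, read from powershell.exe's runtime config, not w3wp.exe's, which is exactly why a per-process switch that works in a console app says nothing about IIS. The registry locations and the class list are the script's assumptions: Vista/2008 and later store the switch as the DWORD Enabled under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, older systems as the value named in the question.

```powershell
# Added diagnostic, not from the original post. Windows PowerShell only (it hosts the .NET Framework).

function Get-FipsPolicyState {
    # Vista/2008 and later: DWORD 'Enabled' under the FipsAlgorithmPolicy subkey.
    # XP/2003: DWORD 'FIPSAlgorithmPolicy' directly under Lsa (the path the question quotes).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $modern = (Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $legacy = (Get-ItemProperty -Path $lsa -Name FIPSAlgorithmPolicy -ErrorAction SilentlyContinue).FIPSAlgorithmPolicy
    [pscustomobject]@{
        RegistryEnabled = (($modern -eq 1) -or ($legacy -eq 1))
        # What the CLR in *this* process decided after combining the registry with the
        # process's own <enforceFIPSPolicy> setting. For w3wp.exe that decision is made
        # separately, from w3wp's config, which is the point the answers below turn on.
        ClrEnforcesFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-CryptoClass {
    param([Parameter(Mandatory = $true)][string]$TypeName)
    try {
        $obj = New-Object -TypeName "System.Security.Cryptography.$TypeName"
        $obj.Clear()   # HashAlgorithm and SymmetricAlgorithm both expose Clear()
        [pscustomobject]@{ Type = $TypeName; Usable = $true; Error = $null }
    } catch {
        # New-Object wraps the constructor's exception; unwrap to the real one.
        # Under FIPS enforcement it is the InvalidOperationException from the question.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        [pscustomobject]@{ Type = $TypeName; Usable = $false; Error = $inner.Message }
    }
}

Get-FipsPolicyState | Format-List

# ...Managed classes are not FIPS-validated and throw under enforcement whatever the
# algorithm; the CSP-backed classes succeed only if the algorithm itself is allowed
# (MD5 is not, SHA-1/SHA-2, 3DES and AES are).
$classes = @(
    'MD5CryptoServiceProvider',
    'RijndaelManaged',
    'SHA1Managed',
    'SHA1CryptoServiceProvider',
    'SHA256CryptoServiceProvider',
    'TripleDESCryptoServiceProvider',
    'AesCryptoServiceProvider'
)
$classes | ForEach-Object { Test-CryptoClass -TypeName $_ } | Format-Table -AutoSize
```

On a box with the policy on and no runtime override, the table shows MD5CryptoServiceProvider and the three ...Managed classes as unusable and the remaining CSP classes as usable, which is the same split the stack trace in the question and the follow-up comment below exhibit.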
8

1. Your code isn't throwing the exception. ASP.NET is doing something else: ASP.NET is trying to serialize the ViewState, which can be encrypted by the machine key. When ASP.NET does this internally, it uses the RijndaelManaged class (which is not FIPS 140 compliant) and blows up. Likewise, when ASP.NET tries to encrypt / decrypt a forms authentication ticket, it will use the machine key as well.

You have a few options for the Machine Key issue. You can use 3DES (which will always use a FIPS compliant implementation) by setting the MachineKey in your web.config to look like this:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES" />

2. I'm not sure why your flag is being ignored. It shouldn't be. I'll edit if I figure anything out.

Note that the MD5CryptoServiceProvider might still bomb. MD5 is not a FIPS compliant hash. As far as I know, only the SHA-1 and SHA-2 hash algorithms are in .NET. The crypto functions that end in CryptoServiceProvider rely on the Windows CSP, which also acknowledges that flag. An alternative would be to use BouncyCastle instead of .NET's implementation, since it doesn't care about that flag.

Marcello answered 11/7, 2011 at 16:1 Comment(5)
Great answer! The flag in the config should work with MD5CryptoServiceProvider. At least...it should in the sense that it works to allow that class when used in a console application.Middlesworth
Ok, now I'm getting somewhere. Adding the machine key element gets me past the YSOD and into my app. The exception is still being thrown, though.Middlesworth
@Ben: Is it the MD5CryptoServiceProvider ctor that is actually bombing now?Marcello
that's correct. I'm getting this from e.ToString(): System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.MD5CryptoServiceProvider..ctor() at TestCryptoAspNet._Default.printSomething() in C:\code\TestCryptoAspNet\TestCryptoAspNet\Default.aspx.cs:line 23Middlesworth
@Ben - I'm still not sure why your flag is being ignored. At this point my only suggestion would be to use BouncyCastle.Marcello
2

I think you need to update a few more files. From here

  1. Go to C:\Program Files\Common Files\Microsoft Shared\DevServer\9.0 or whatever folder contains WebDev.WebServer.Exe
  2. Create a text file named “WebDev.WebServer.Exe.config.” Be sure the extension is “config” and not “txt.”
  3. Add the following text to the file.

    <configuration>
        <runtime>
            <enforceFIPSPolicy enabled="0" />
        </runtime>
    </configuration>

  4. If the ASP.NET Development Server is running, stop it. You can do this by right-clicking its icon in the system tray and selecting Stop.

  5. Go to C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\ or whatever folder contains devenv.exe.config.
  6. Add the following line to the runtime section of devenv.exe.config.

    <enforceFIPSPolicy enabled="0" />

  7. If Visual Studio is open then close it and open it again.

Some additional things to try

  1. Double check that you don't have `<compilation debug="true">` in your Web.config. When debug compilation is set, .NET uses an MD5 hash for some internal bookkeeping. MD5 is not FIPS compliant, so you get this error.

  2. ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The RijndaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Therefore, the AES algorithm is not part of the Windows Platform FIPS validated cryptographic algorithms. To solve this, you can specify a different algorithm in your web.config using this line:

    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

It's also confirmed here by MSFT that you get the same error. To fix it:

In a text editor such as Notepad, open the application-level Web.config file. In the Web.config file, locate the `<system.web>` section. Add the following `<machineKey>` section to the `<system.web>` section:

`<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>`

Save the Web.config file. Restart the Microsoft Internet Information Services (IIS) service. To do this, run the following command at a command prompt: iisreset

Branen answered 11/7, 2011 at 16:2 Comment(3)
That's true if you are using Cassini as a web server. However, the question states that IIS is being used. I'm not entirely sure why changing Visual Studio's policy would be required, either.Marcello
@Marcello - Yup you are right. It looks like the issue is related to ASP using RijndaelManaged to process the view state data. The fix will be to change it to 3DES like suggested.Branen
So, actually, I like to avoid changing configs in files only VS will use locally (like devenv.exe.config and WebDev.WebServer.Exe.config), unless I know what files will need to be changed on the server in order to run my app, there, too. This answer could be improved by giving those files and paths that would need updating on the server, or explaining that there won't be any needed changes there, other than the web.config update, and why it's needed on a workstation running the app locally in VS, but not the server.Galilean
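The machineKey change recommended in both answers above, together with the debug-compilation check from this one, as an added PowerShell script that is not part of the original thread. It edits a web.config in place and is safe to re-run: it creates `<system.web>` if missing, adds or updates `<machineKey>` to validation="3DES" decryption="3DES", keeps any explicit keys an operator has already set (AutoGenerate,IsolateApps keys are per machine and per application, so a web farm needs explicit shared keys, which this script will not overwrite), warns if `<compilation debug="true">` is present, and writes a backup before saving. The path parameter and the backup file name are the script's own assumptions.

```powershell
# Added example, not from the thread. Usage: .\Set-FipsMachineKey.ps1 -WebConfigPath C:\inetpub\wwwroot\MyApp\web.config
param(
    [Parameter(Mandatory = $true)][string]$WebConfigPath
)

# Load web.config as XML; PreserveWhitespace keeps the resulting diff small.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfigPath)

$config = $xml.DocumentElement
if ($config.Name -ne 'configuration') { throw "Not a .NET config file: $WebConfigPath" }

# <machineKey> lives under <system.web>; create that section if the file lacks it.
$systemWeb = $config.SelectSingleNode('system.web')
if (-not $systemWeb) {
    $systemWeb = $config.AppendChild($xml.CreateElement('system.web'))
}

# Debug compilation makes ASP.NET use MD5 internally, which fails under FIPS enforcement
# regardless of the machineKey algorithm (the point made in the answer above).
$compilation = $systemWeb.SelectSingleNode('compilation')
if ($compilation -and $compilation.GetAttribute('debug') -eq 'true') {
    Write-Warning ('<compilation debug="true"> is set in {0}; ASP.NET uses MD5 internally for debug builds, which also fails under FIPS enforcement.' -f $WebConfigPath)
}

# Add or update <machineKey>. 3DES is served by TripleDESCryptoServiceProvider, which is
# CSP-backed and therefore allowed; the default AES path uses RijndaelManaged, which is not.
$machineKey = $systemWeb.SelectSingleNode('machineKey')
if (-not $machineKey) {
    $machineKey = $systemWeb.AppendChild($xml.CreateElement('machineKey'))
}
$desired = [ordered]@{
    validationKey = 'AutoGenerate,IsolateApps'
    decryptionKey = 'AutoGenerate,IsolateApps'
    validation    = '3DES'
    decryption    = '3DES'
}
foreach ($name in $desired.Keys) {
    $current = $machineKey.GetAttribute($name)   # "" when the attribute is absent
    # Never clobber explicit key material: a web farm depends on shared, hand-set keys.
    if ($name -like '*Key' -and $current -ne '' -and $current -notlike 'AutoGenerate*') {
        Write-Host "Keeping existing explicit $name"
        continue
    }
    $machineKey.SetAttribute($name, $desired[$name])
}

# Back up, save, and remind the operator that the change needs a restart to take effect.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
$xml.Save($WebConfigPath)
Write-Host "Updated $WebConfigPath (backup at $WebConfigPath.bak). Run 'iisreset' or recycle the app pool to apply."
```

This only moves the ViewState and forms-ticket protection onto an allowed algorithm; it does nothing for application code that constructs MD5CryptoServiceProvider itself, which is the second failure the asker hits in the comments above.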
1

As you've found, the web.config entry doesn't work, at least in IIS 7.5 onward. Instead, you need to use an application pool configuration file, as described here

Alforja answered 5/9, 2017 at 20:31 Comment(0)
0

So, even though this is old, it's still a bit relevant. The setting

<configuration>
   <runtime>
      <enforceFIPSPolicy enabled="false" />
   </runtime>
</configuration>

goes in aspnet.config in the Framework and/or Framework64 .net folders. This bypass setting works on an application config file. Web.config is not an application configuration file.

Strephon answered 11/7, 2018 at 15:18 Comment(0)
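The approach the last two answers point at, as an added PowerShell script that is not from the thread. Rather than editing the shared aspnet.config under Framework\v*\ or Framework64\v*\, which turns the check off for every application pool on the machine, it copies that file, sets `<enforceFIPSPolicy enabled="false"/>` in the copy, and binds only one pool to it through the CLRConfigFile attribute that IIS 7.5 and later expose on applicationPools/add. The pool name, the directory for the copy, and the assumption that the pool identity can read that directory are the script's own; it relies on the WebAdministration module. Treat the result as a documented exception: every application in that pool may now use non-validated algorithms, so keep it to one pool and prefer moving code onto validated classes (the CSP-backed SHA-1/SHA-2, 3DES and AES providers) wherever that is possible.

```powershell
# Added example, not from the thread. Usage: .\Set-PoolFipsOverride.ps1 -AppPoolName MyAppPool
param(
    [Parameter(Mandatory = $true)][string]$AppPoolName,
    [string]$ConfigDir = 'C:\inetpub\clrconfig'   # assumption: a directory the pool identity can read
)
Import-Module WebAdministration

# Locate the default CLR config (aspnet.config) for the framework version and bitness this pool runs.
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$version = [string]$pool.managedRuntimeVersion   # 'v2.0' or 'v4.0'; empty for "No Managed Code"
if (-not $version) { throw "App pool '$AppPoolName' runs no managed code; nothing to configure." }

$fxRoot = "$env:windir\Microsoft.NET\Framework64"
if ($pool.enable32BitAppOnWin64 -eq $true -or -not (Test-Path $fxRoot)) {
    $fxRoot = "$env:windir\Microsoft.NET\Framework"
}
$fxDir = Get-ChildItem $fxRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -like "$version*" } |
    Sort-Object Name -Descending | Select-Object -First 1
$defaultConfig = Join-Path $fxDir.FullName 'aspnet.config'
if (-not (Test-Path $defaultConfig)) { throw "No aspnet.config found at $defaultConfig" }

# Copy the shipped file and add (or flip) the flag, leaving every other setting as is.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($defaultConfig)
$runtime = $xml.DocumentElement.SelectSingleNode('runtime')
if (-not $runtime) { $runtime = $xml.DocumentElement.AppendChild($xml.CreateElement('runtime')) }
$flag = $runtime.SelectSingleNode('enforceFIPSPolicy')
if (-not $flag) { $flag = $runtime.AppendChild($xml.CreateElement('enforceFIPSPolicy')) }
$flag.SetAttribute('enabled', 'false')

New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
$poolConfig = Join-Path $ConfigDir "$AppPoolName.aspnet.config"
$xml.Save($poolConfig)

# Bind only this pool to the copy; every other pool keeps the machine-wide default.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "system.applicationHost/applicationPools/add[@name='$AppPoolName']" `
    -Name 'CLRConfigFile' -Value $poolConfig

# The CLR reads its config once at process start, so the worker process must be recycled.
Restart-WebAppPool -Name $AppPoolName
Write-Host "App pool '$AppPoolName' now loads $poolConfig with enforceFIPSPolicy disabled."
```

To confirm the binding took, read it back with `Get-WebConfigurationProperty` using the same filter and `-Name CLRConfigFile`, and check that the affected site no longer throws the InvalidOperationException from the question while a site in any other pool still does.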
